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Abstract — This paper presents a recursive computational 
multi-secret sharing technique that hides fc — 2 secrets of size 
b each into n shares of a single secret S of size b, such that any 
k of the n shares suffice to recreate the secret 5* as well as all 
the hidden secrets. This may act as a steganographic channel 
to transmit hidden information or used for authentication and 
verification of shares and the secret itself. Further, such a 
recursive technique may be used as a computational secret 
sharing technique that has potential applications in secure and 
reliable storage of information on the Web, in sensor networks 
and information dispersal schemes. The presented technique, 
unlike previous computational techniques, does not require the 
use of any encryption key or storage of public information. 

I. Introduction 

An information theoretically secure fc-out-of-n secret shar- 
ing technique used to share a secret of size b requires a total 
storage space of size b ■ n. Since, fc — 1 shares do not reveal 
any information about the secret, such techniques use fc — 1 
random elements of size b in order to create the shares. In this 
paper, we propose that these random elements be replaced with 
certain hidden information that may serve as a steganographic 
channel. Note that if a secret sharing scheme uses fc— 1 random 
elements then fc — 1 is the upper limit on the number of secrets 
that can be hidden. We hide fc— 2 secrets which is near optimal. 

If user A transmits a secret message to user B over a 
public channel, he may divide the message into several pieces 
(possibly redundant) and send the pieces on parallel channels, 
such that an eavesdropper may need to compromise at least fc 
out of n channels to retrieve the message. B upon receiving 
the pieces may reconstruct the message and authenticate it 
using the signed hash of the message that A sends to B. 
Transmission of this signature is an additional burden on the 
network. In the proposed scheme, A may hide the signature 
within the pieces of the message that is transmitted. 

Information dispersal schemes for distributed storage net- 
works primarily use computational secret |[T|, flZj sharing 
schemes. In general, in a computational secret sharing scheme 
an encryption key is used to encrypt the secret that is to be 
securely stored/transmitted. The encrypted message is then 
divided into several (possibly redundant) pieces. The key is 
divided into shares using conventional secret sharing tech- 
niques and these shares are stored along with the pieces of 
the encrypted message, as an overhead JSj, ||4l, 



In a multiparty scenario, such as in secret sharing, the hid- 
den information may be used as a means of authentication of 
the share (and of reconstructed secret), thus provide cheating 
detection. For example, the dealer may hide a "specially" 
chosen message in the shares of the secret and distribute the 
hash of this message to all the players along with the shares. 
The players may later reconstruct the secret and the hidden 
message, find the hash of the hidden message and verify it 
against the hash they have. 

The presented scheme may be used as a multi-secret shar- 
ing scheme that uses Shamir's secret sharing scheme as its 
building block and encodes fc — 2 additional secrets within the 
shares of the message originally intended to be shared. And 
the scheme may be used as a computational secret sharing 
scheme, effectively resulting in smaller shares, by dividing a 
secret into smaller pieces and then simulating a multi-secret 
sharing scheme. Since the proposed algorithm generates shares 
on the order of size of secrets encoded, smaller pieces will 
give rise to smaller shares. Moreover, the proposed scheme 
does not require any encryption key. 

An efficient method for sharing multiple secrets with se- 
curity based on assumption of hardness of discrete logarithm 
problem is presented in (|5|. Whereas ||6l proposes a scheme 
based on systematic block codes and fTl propose schemes 
based on Shamir's secret sharing scheme but require a large 
amount of side information to be stored as public knowldege 
and further JS), Q, fSl attempt to maintain ideal security. 
Other schemes Q, JTOI focus at improving efficiency of com- 
putations involved in share creation and secret reconstruction 
rather than space and transmission efficiency. 

In an earlier paper [11 j , [121, a 2-out-of-2 (k — 2 and 
n ~ 2) recursive scheme for secret sharing was proposed. In 
this method, if fc secrets are chosen such that they double in 
size, then all of the smaller secrets can be recursively stored in 
the shares of larger secrets, so that two shares of size 2™ can 
encode 2™+^ — 1 bits of information. For example, if we are 
to share 3 secrets si = 1, S2 = 01, and S3 = 1011, then the 
two shares for si would be D^ii = and Dsi2 = 1; where 
exclusive-OR operation is used for secret reconstruction. The 
shares of si can be used to create two shares of S2 as follows: 
D,,i = i^,,iO = 00 and Ds,2 = 0D,,2 = 01. Here D.^iO 
denotes concatenation of share 1 of secret si with 0; and 



0Z?si2 denotes concatenation of with share 2 of secret si, 
and so on. Similarly, we can recursively use the shares of 
S2 to create the shares of S3: Dg^i — I?s2ilO — 0010 and 
Ds32 — 10-Ds22 = 1001. As a result, the final two shares for 
all the three secrets are 0010 and 1001. Consequently, using 
8 bits of shares we have encoded 7 bits of secrets. This is in 
comparison with conventional methods that would require a 
total 14 bits of shares. 

The above efficiency increase is obtained as a tradeoff 
against security of the scheme. A non-recursive scheme would 
require 7 bits for each share but the recursive scheme requires 
4 bits per share, and a player only needs to determine 4 bits to 
break the scheme. However, in practice secrets are thousands 
of bits long. For example, a secret of 1048 bits length would be 
encoded in approximately 1024 bits per share, and would still 
require 2^°^^ combinations to break. This may be sufficient 
for many cases. 

II. Space efficient secret sharing 

We propose a method to hide k — 2 secrets of size b, within 
the shares of a secret S of size b, using a (fc, n) modified 
Shamir's secret sharing scheme. The secret is divided into n 
shares using modified Shamir's secret sharing scheme such 
that any k of them can be brought together for reconstruction. 
Algorithm 1 (Modified Shamir's secret sharing scheme) 

1) Choose a prime p,p> max{S, n), where S is the secret. 

2) Choose k — 1 random numbers yi, y2, yk-i, uni- 
formly and independently, from the field Zp. 

3) Map these random numbers y^s as y coordinates of 
points: {i,yi), for all 1 < j/i < (fc — 1). 

4) Map the secret S as point (0, S). 

5) Using k points (z, yi), for all 1 < yi < (fc— 1) and (0, S) 
interpolate a polynomial p{x) of degree fc — 1 modulo 
prime p. 

6) Sample p{x) at n points Di = p{i), k<i<k + n — 1 
such that the shares are given by {i,Di). 

The reconstruction procedure for the secret follows the 
conventional method (131 . 

Now consider k — 2 secrets siS2---Sk-2, Si G Zp for all 
1 < i < (A: — 2) or pieces of a larger message. Therefore our 
task is to recursively hide s^'s within the shares of secret S. 
Further, we use the notation yi„i to denote the y-coordinates of 
points. Here the first subscript I is the index of the step in the 
recursive process and subscript m is index of share to which 
that j/-coordinate belongs to. For example, the j/-coordinate of 
share 3 in the 5*'' recursion is written 7/53. 

The proposed algorithm works as follows - randomly and 
uniformly choose a number yn and map it as point (l,j/ii). 
Using (0, si) and (l,?/ii) interpolate P* degree polynomial 
Pi(x). Sample pi{x) at two points 2/21 ~ Pi{x ~ 2) and 
2/22 — Pi{x — 3). Now map the sampled points as (1, ?/2i) and 
(2,2/22)- Using the next piece as point (0,52) and the newly 
generated points (1,2/21) and (2,2/22) interpolate 2"^^ degree 
polynomial P2{x). Evaluate P2{x) at 3 points 2/31 — P2{x ~ 
3), 2/32 = P2{x = 4), and 2/33 ^ P2{x = 5). We then use 
these 3 points as y-coordinates for x=l, 2, 3 and along with 



the third piece of the message as point (0, S3) interpolate 3'"'' 
degree polynomial P3{x). We continue this process until we 
have used all the pieces and reached (0, Sfc_2) and interpolated 
(fc— 2)*'* degree polynomial pfe-2(a;)- We then sample pfc_2 (a;) 
at fc - 1 points 2/(A;-i)i = Pk-2{k - 1), 2/(fc-i)2 = Pk-2{k), 
2/(fc-i)3 = Pk-2{k + 1), 2/(fe-i)(fe-i) = Pfe-2(2fc - 3). 

Mapping these fc — 1 samples as points (1, 2/(fc-i)i)^ 
(2,2/(fc-i)2), (k - l,2/(fc-i)(fe-i)) along with (0,5) con- 
struct a (fc — 1)*'* degree polynomial pk-i{x). We can now 
sample pk-i{x) at n points such that any fc points would 
reconstruct the secret and the hidden information. 

The process of share creation and information hiding is 
formally described in Algorithm 2. 
Algorithm 2 - Dealing Phase 

1) Consider fc — 2 secrets Si G Zp, 1 < « < (fc — 2). 

2) Choose prime p ~ max{si, S), for all 1 < i < fc — 2. 

3) Randomly and uniformly choose a number 2/11 G Zp 
and map it as point (1, 2/11). 

4) Do for 1 < i < (fc - 2) 

a) Interpolate points (0,Si) and {j,yij), for all 1 < 
j < i to generate a i*^^ degree polynomial Pi{x). 

b) Sample the polynomial Pi{x) at i + 1 points: 
y(i+i)j = Piii + i), for all 1 < J < (i + 1). 

c) Map the i + 1 points as: {j,y{i+i)j), for all 1 < 
J < (* + !)■ 

5) Interpolate points (0,5) and (j, 2/(fe-i)j)' for all 1 < 
j < (fc — 1) to generate (fc — 1)*'' degree polynomial 

Pk-i{x). 

6) Sample pk-i{x) at n points to generate n shares: 
{i,Pk-i{i)), for all fc < i < fc + n — 1. 

Algorithm 2 - Reconstruction Phase 

1) Interpolate any fc shares to generate (fc — 1)*'' degree 
polynomial (a;) = S + aix + a2x'^ + ... + ak-ix''^^ . 

2) Evaluate S ^ pk-iiO)- 

3) Do for i = k — 2 down to 1 

a) Map the coefficients of polynomial Pi{x) as points: 
(j, aj), for all (i + 1) < j < 2{i + 1). 

b) Interpolate (j, Oj), for all (i + 1) < j < 2{i + 1), 
to generate polynomial Pi{x) of degree i. 

c) Evaluate Si = Pi (0). 

Security of the proposed method: Algorithm 2 works by 
repetitive application of Algorithm 1. The first iteration of 
the algorithm is a direct application of (2, 2) Shamir's secret 
sharing scheme. It uses a polynomial of degree 1 and generates 
two shares for the first secret Si of the message. These two 
shares may be viewed as random numbers, such that given 
any number r e "Lp, Pr{r = 2/21) = Pr{r = 2/22) = ^■ 
They are then used to create a quadratic equation along with 
the second secret S2 mapped at x=Q (the free term of the 
equation). This quadratic equation is then sampled at 3 points 
to generate 3 shares of S2. These three shares are then used as 
random points to generate a 4*'* degree equation and encode 
S3 and so on, until we have encoded all the fc — 2 pieces and 
generated fc — 1 shares. These fc — 1 shares are then used as 
points along with secret 5 at a;=0 to generate a polynomial 



of degree k — 1, which can then be sampled at n points to 
create the final shares. These final shares have the shares of 
the smaller pieces hidden within them. The security of the 
protocol is predicated upon the random and uniform choice of 
the first coefficient j/n. 

Example. Suppose we want to hide 3 secrets si = 46, S2 = 
69, and S3 — 72 within the shares of a secret 5=65. Let 
fc = 5 and n — 7, i.e. we are to create 7 pieces such that 5 of 
them must come together to recreate the secret and the hidden 
message. We execute the algorithm as follows, 

1) Choose a prime p = 131. 

2) Randomly and uniformly choose a number iju E Z131, 
say yii = 102. Map it as point (1, 102). 

3) Interpolate (0,si) = (0,46) and (1,102) to generate 
Piix) — 56x + 46. 

4) Sample pi{x) at two points a; = 2, 3: 1/21 — Pi (2) — 27 
and y22 = Pi{3) = 83. 

5) Map these new points as (l,j/2i) — (lj27) and 
(2,y22) = (2,83). 

6) Interpolate (0,52) = (0,69), (1,27) and (2,83) to 
generate P2{x) = 49a;^ + 40a:: + 69. 

7) Sample P2{x) at three points x = 3, 4, 5: 2/31 — P2(3) = 
106, y32 = P2(4) = 96 and ^33 = p2{5) = 53. 

8) Map the new points as: (1,1/31) = (1,106), (2,^32) = 
(2,96) and (3,2/33) = (3,53). 

9) Interpolate (0,33) = (0,72), (1,106), (2,96) and 
(3, 53) to generate ps^x) = lllx^ + 38x^ + 16x + 72. 

10) Sample P3{x) at 4 points x — 4,5, 6, 7: j/41 = Psi^) — 
119, y42 = P3{5) = 43, y43 = Pa (6) = 98 and 2/44 = 
P3(7) = 33. 

11) Map the new points as (1,2/41) = (1,119), (2,2/42) — 
(2,43), (3,2/43) = (3,98) and (4,2/44) = (4,33). 

12) Interpolate (0,5) (0,65), (1,119), (2,43), (3,98) 
and (4, 33) to generate p4{x) = 662;'* + 106x3 + 72^^ + 
722; + 65. 

13) Sample P4{x) at 7 points x ~ 5,6,7,8,9,10,11 to 
create 7 shares: (5,p4(5)) = (5,2); (6,^4(6)) = (6,40); 
(7,P4(7)) = (7,63); (8,^4(8)) = (8,130); (9,p4(9)) - 
(9,50); (10,p4(10)) = (10,37) and (11,^4(11)) = 
(11,55). 

Any five out of the seven shares can be interpolated to 
regenerate the polynomial P4{x). This polynomial can then 
be sampled to obtain 5 = ^4(0). The 2/-coordinates of the 
samples of P4{x) at points x — 1,2,3,4 can the be mapped 
as points at x = 4, 5, 6, 7 and then interpolated to reconstruct 
P3{x), which can be sampled at x = to obtain S3 — ^3(0). 
Polynomial P3{x) can be sampled at x = 1,2,3 to obtain y- 
coordinates and map them at x = 3, 4, 5. Interpolating these 
new points we obtain P2{x) and so on. The pieces of the 
hidden secrets are retrieved in the reverse order. 

III. Conclusions 

We have proposed a recursive techniques to hide additional 
information within the shares of Shamir's secret sharing 
schemes. This hidden information may be used for validation 
of shares at the time of secret reconstruction. Further it may 



be looked upon as a way to share large secrets by dividing 
the secret in smaller pieces and recursively hiding them in the 
shares. 

Such a scheme is useful for secure transmission of infor- 
mation over parallel channels. Suppose the transmitter and 
receiver share secret identifications. The transmitter can then 
divide the identification into pieces and recursively encode it 
into the shares of the message to be sent over parallel lines. 
Transmission of shares over parallel channels provided implicit 
security and reliability. Further, the scheme may be used for 
information dispersal in storage networks. 

Future Work: It includes implementing a distributed data 
storage scheme on the Web where different servers store data 
by creating shares of the data using the proposed scheme. This 
implicitly prevents any one (compromised) server from having 
access all the user data lfT4l . Such an idea may be useful 
in cloud computing. Chord protocol and FreeNets. Issues 
regarding addressing of data shares on the network need to 
be investigated. 
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